-
Notifications
You must be signed in to change notification settings - Fork 7
Governance Policies Azure Web Static Web Apps
Governance policies for Static Web Apps
Domain: azure-web
| Name | Description |
|---|---|
| Static Web App with linked backend and custom auth | Standard SWA with managed identity, linked backend API, and Entra ID authentication |
| Description | Instead |
|---|---|
| Do not use Free tier for production workloads | Use Standard SKU which provides SLA, private endpoints, and enterprise features |
| Do not rely on default GitHub auth for enterprise applications | Configure custom authentication with Microsoft Entra ID in staticwebapp.config.json |
| Check | Severity | Description |
|---|---|---|
| AZ-SWA-001 | Required | Deploy Azure Static Web Apps with Standard SKU, managed identity, and enterprise-grade auth |
| AZ-SWA-002 | Required | Configure custom authentication with identity providers in staticwebapp.config.json |
| AZ-SWA-003 | Recommended | Enable enterprise-grade CDN for global content distribution |
| AZ-SWA-004 | Recommended | Configure custom domain with managed SSL certificate |
Deploy Azure Static Web Apps with Standard SKU, managed identity, and enterprise-grade auth
Severity: Required
Rationale: Standard SKU enables custom auth, private endpoints, and enterprise features; managed identity secures backend API connections
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Web/staticSites
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Web/staticSites/config | appsettings | Application settings for backend API configuration — never embed secrets directly |
| Microsoft.Network/privateEndpoints | pe-swa | Private endpoint for Static Web App (Standard SKU only) |
| Microsoft.Network/privateDnsZones | privatelink.azurestaticapps.net | Private DNS zone for Static Web App private endpoint resolution |
| Microsoft.Web/staticSites/linkedBackends | linked-backend | Linked backend API (e.g., Container Apps, Functions) for managed API routing |
Configure custom authentication with identity providers in staticwebapp.config.json
Severity: Required
Rationale: Default GitHub auth is insufficient for enterprise; custom auth enables Entra ID and other IdPs
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.Web/staticSites
Enable enterprise-grade CDN for global content distribution
Severity: Recommended
Rationale: Enterprise CDN provides edge caching, WAF integration, and custom domains with managed certificates
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Web/staticSites
Configure custom domain with managed SSL certificate
Severity: Recommended
Rationale: Managed certificates auto-renew and eliminate manual certificate management
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Web/staticSites
Getting Started
Stages
Interfaces
Configuration
Agent System
Features
- Backlog Generation
- Cost Analysis
- Error Analysis
- Docs & Spec Kit
- MCP Integration
- Knowledge System
- Escalation
Quality
Help
Policies — Azure
AI Services
Compute
Data Services
- Azure SQL
- Backup Vault
- Cosmos Db
- Data Factory
- Databricks
- Event Grid
- Event Hubs
- Fabric
- IoT Hub
- Mysql Flexible
- Postgresql Flexible
- Recovery Services
- Redis Cache
- Service Bus
- Stream Analytics
- Synapse Workspace
Identity
Management
Messaging
Monitoring
Networking
- Application Gateway
- Bastion
- CDN
- DDoS Protection
- DNS Zones
- Expressroute
- Firewall
- Load Balancer
- Nat Gateway
- Network Interface
- Private Endpoints
- Public Ip
- Route Tables
- Traffic Manager
- Virtual Network
- Vpn Gateway
- WAF Policy
Security
Storage
Web & App
Policies — Well-Architected
Reliability
Security
Cost Optimization
Operational Excellence
Performance Efficiency
Integration